- Cream Finance lost more than $19m in cryptocurrency to an unidentified hacker.
- The hacked DeFi protocol stopped the exploit by pausing supply and borrowing of contracts on the AMP token.
- After the attack, both the AMP token and Cream Finance’s native token, CREAM, witnessed a significant fall in prices.
In a recent cyber theft, it is estimated that hackers may have stolen more than $19 million in cryptocurrency assets from Cream Finance, a decentralized finance platform that enables users to loan and speculate on cryptocurrency price variations.
According to Cream Finance, the hacker used a “reentrancy attack” in its “flash loan” feature, resulting in a loss of 418,311,571 in AMP tokens and 1,308.09 in ETH coins. The hacker took advantage of a bug caused by the introduction of the AMP token into the protocol.
Following the attack, Cream Finance announced that it stopped the exploit by pausing supply and borrowing on the AMP. They also informed users that no other markets were affected.
Additionally, members of Cream Finance confirmed the authenticity of the hacking incident. After reporting it on the project's official Discord channel, the members started working with PeckShield.
Reacting to the hack, PeckShield tweeted that the hacker made a 500 ETH flash loan and deposited the funds as collateral, then borrowed 19m AMP and exploited a reentrancy bug to re-borrow 355 ETH inside the AMP token transfer function, and finally self-liquidated the borrowed amount.
The hacker repeated the same process 17 times and was able to gain the tokens, worth about $19 million.
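The ordering flaw behind this kind of re-borrow can be shown with a small simulation. This is an added example, not Cream Finance's contract code: the `Market` class, the 75% collateral factor and all amounts are constructed. It compares a market that records debt after the token transfer with one that records it before.

```python
class Market:
    """Toy lending market (constructed model, not Cream Finance's contracts)."""
    COLLATERAL_PCT = 75  # assumed: borrow up to 75% of collateral value

    def __init__(self, effects_first):
        self.effects_first = effects_first
        self.collateral = {}  # account -> deposited value
        self.debt = {}        # account -> recorded borrowed value

    def deposit(self, who, value):
        self.collateral[who] = self.collateral.get(who, 0) + value

    def limit(self, who):
        return self.collateral.get(who, 0) * self.COLLATERAL_PCT // 100

    def borrow(self, who, value, on_receive=None):
        # Check: only as good as the debt recorded at this moment.
        if self.debt.get(who, 0) + value > self.limit(who):
            raise ValueError("insufficient collateral")
        if self.effects_first:
            self._record(who, value)    # effect
            self._transfer(on_receive)  # interaction
        else:
            self._transfer(on_receive)  # interaction runs recipient code
            self._record(who, value)    # effect lands too late

    def _record(self, who, value):
        self.debt[who] = self.debt.get(who, 0) + value

    def _transfer(self, on_receive):
        # Models a token whose transfer calls back into the recipient.
        if on_receive is not None:
            on_receive()


def simulate(effects_first):
    """Return (recorded debt, borrow limit, nested borrow rejected?)."""
    market = Market(effects_first)
    market.deposit("acct", 1000)  # constructed amounts
    rejected = []

    def hook():  # runs inside the token transfer
        try:
            market.borrow("acct", 700)
        except ValueError:
            rejected.append(True)

    market.borrow("acct", 700, on_receive=hook)
    return market.debt["acct"], market.limit("acct"), bool(rejected)
```

With the debt recorded after the transfer, the nested call passes the collateral check against stale state and total debt ends above the limit; with the debt recorded first, the nested call is rejected.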
Cream Finance Suffers Second Hack in 2021
This is not the first time that Cream Finance has suffered a hack. Earlier this year, the DeFi platform was affected by a hack that allowed the hacker to steal $37.5 million. As per the reports, this hack’s root cause was the exploitation of Alpha Finance.
Apart from Cream Finance, similar incidents took place on the Bilaxy crypto exchange, where about 295 ERC-20 tokens were compromised, while a hack on Liquid amounted to a loss of about $100 million.
As such, flash loans have remained one of the most controversial features of the decentralized finance ecosystem. This is mainly because there is no collateral required for the loans, and hence, they are more vulnerable to attacks.